Two Men Admit to $10 Million Dollar Hacking Spree on Subway Sandwich Shops
Executive Summary:
Two men from Romania have admitted to participating in the hack of Subway restaurants and will spend considerable time in prison. The intrusions, which took place from 2009 through 2011, compromised data from over 150 Subway stores and exposed information for over 146,000 credit card accounts. The current damage is thought to be over $10 million.
The scheme involved scanning the internet for specific applications that were known to have security weaknesses. Once a vulnerable system was identified, its password was cracked and the hackers installed a keystroke logger that recorded transactions, including payment information. Once the credit card information was stolen, it could be sold to any number of buyers.
Analysis:
The security issues in this article relate to a number of topics discussed in class. First, the techniques the hackers used to break into the systems were not very complicated and could have been purchased over the internet. The hackers specifically targeted a certain remote desktop application that had a known security weakness. Each Subway franchise was responsible for complying with PCI standards because it accepted credit card payments. However, since Subway corporate did not store the credit card information and the individual franchises were very small, the franchises were not audited. Subway did have a corporate policy forbidding the type of remote-access software that was exploited, but individual franchisees deliberately installed software that was available over the internet and was less expensive than the software recommended by the corporation. Had the corporation insisted on random internal audits of the individual POS systems, it is possible that the issue could have been discovered much earlier. Additionally, once the prohibited software was found, there could have been a corporation-wide effort to shut the program down within the stores. In addition to installing prohibited software, the passwords used in the software were most likely not adequate. Although there is no definitive evidence of weak passwords, if the passwords had been set in accordance with standard policies, the hack may not have been as pervasive.
Once the passwords were cracked, it was easy for the hackers to gain access to the systems and install keystroke loggers as well as additional malware that allowed continuous access and blocked security updates. However, the hackers pushed the stolen information to "dump" sites with highly suspicious names. If IT security personnel had been monitoring the traffic on these systems at all, the fraud would have been caught much sooner. There were multiple failures on the part of Subway's IT security as well as at the franchisee level. As we have discussed before, a corporation must defend against every kind of attacker, but an attacker needs only one weakness to commit a large-scale crime. This story is an example of multiple weakest-link failures: from the installation of a prohibited program that overrode all additional PCI controls to the lack of traffic monitoring at the corporate level.
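The analysis recommends two controls the franchisor could have run centrally: random audits of franchise POS systems for prohibited remote-access software, and monitoring of outbound traffic from those systems for connections to unexpected destinations. The script below is an added example of what such checks look like in practice; it is not code from the article or from Subway. The host names, product names, destinations, allow-lists and log lines are all constructed for the example, and the log format (`src=... dst=... bytes=...`) is an assumed firewall-export layout, not a real vendor format.

```python
"""
Added example: two lightweight checks a franchisor's IT security team could
run against data collected from franchise POS hosts.

1. audit_installed_software: compare each host's inventory of remote-access
   tools against a corporate allow-list and flag anything else (the random
   internal audit of POS systems recommended in the analysis).
2. flag_outbound_connections: scan outbound-connection log lines from POS
   hosts and flag destinations not on the list of approved payment and
   vendor endpoints (the traffic monitoring recommended in the analysis).

All host names, products, destinations and log lines are constructed for
this example; none are real Subway systems or indicators of compromise.
"""
import re
from collections import defaultdict

# Constructed allow-lists; a real program would maintain these centrally.
APPROVED_REMOTE_ACCESS = {"CorpRemoteSupport 4.2"}
APPROVED_DESTINATIONS = {"gateway.payments.example", "updates.pos-vendor.example"}

# Constructed inventory: host -> remote-access products reported as installed.
SAMPLE_INVENTORY = {
    "pos-store-0101": ["CorpRemoteSupport 4.2"],
    "pos-store-0102": ["CorpRemoteSupport 4.2", "CheapRemoteDesktop 1.0"],
    "pos-store-0103": ["CheapRemoteDesktop 1.0"],
}


def audit_installed_software(inventory, approved=APPROVED_REMOTE_ACCESS):
    """Return {host: [unapproved products]} for every host violating policy."""
    findings = {}
    for host, products in inventory.items():
        unapproved = [p for p in products if p not in approved]
        if unapproved:
            findings[host] = unapproved
    return findings


# Constructed outbound-connection log lines in an assumed export format:
# <timestamp> src=<host> dst=<destination> proto=<proto> bytes=<n>
SAMPLE_CONN_LOG = """\
2011-03-02T02:14:07Z src=pos-store-0101 dst=gateway.payments.example proto=tcp bytes=4120
2011-03-02T02:15:11Z src=pos-store-0102 dst=gateway.payments.example proto=tcp bytes=3980
2011-03-02T03:02:44Z src=pos-store-0102 dst=dump-host.example proto=tcp bytes=1048576
2011-03-02T03:03:01Z src=pos-store-0103 dst=updates.pos-vendor.example proto=tcp bytes=20480
2011-03-02T03:40:19Z src=pos-store-0103 dst=dump-host.example proto=tcp bytes=2097152
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=\S+ bytes=(?P<bytes>\d+)$"
)


def flag_outbound_connections(log_text, approved=APPROVED_DESTINATIONS):
    """Return {host: {destination: total_bytes}} for traffic to unapproved hosts."""
    findings = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        if m["dst"] not in approved:
            findings[m["src"]][m["dst"]] += int(m["bytes"])
    return {host: dict(dests) for host, dests in findings.items()}


def correlate(inventory_findings, traffic_findings):
    """Hosts that both run unapproved software and send data to unapproved destinations."""
    return sorted(set(inventory_findings) & set(traffic_findings))


if __name__ == "__main__":
    inv = audit_installed_software(SAMPLE_INVENTORY)
    traffic = flag_outbound_connections(SAMPLE_CONN_LOG)
    for host in correlate(inv, traffic):
        print(f"{host}: unapproved software {inv[host]}, "
              f"bytes to unapproved destinations {traffic[host]}")
```

Either check on its own produces findings worth acting on; correlating them ranks the hosts that show both a policy violation and unexplained outbound volume, which is the combination the analysis describes, first.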